Wazuh: Log Analysis Queries with Use Cases for Effective Network Security Monitoring | Part-3

Here are some more queries you can use with Wazuh SIEM to search and analyze logs:

1. Search for Suspicious User Agents:

   • Identify alerts related to suspicious or unauthorized user agents in web server logs.

   ```sql
   SELECT * FROM alerts WHERE rule.category = 'web' AND source.useragent LIKE '%suspicious%';
   ```

2. Search for DNS Queries to Malicious Domains:

   • Look for DNS queries to known malicious domains or suspicious hostnames.

   ```sql
   SELECT * FROM alerts WHERE rule.category = 'dns' AND destination.domain IN ('malicious.com', 'suspicious.net');
   ```

3. Search for Privilege Escalation Attempts:

   • Identify alerts related to attempts to escalate privileges or gain unauthorized access.

   ```sql
   SELECT * FROM alerts WHERE rule.category = 'privilege_escalation';
   ```

4. Search for Account Lockouts:

   • Look for alerts related to account lockouts or user authentication failures caused by repeated unsuccessful login attempts.

   ```sql
   SELECT * FROM alerts WHERE rule.category = 'account_lockout';
   ```

5. Search for Policy Violations:

   • Identify alerts related to violations of security policies or compliance requirements.

   ```sql
   SELECT * FROM alerts WHERE rule.category = 'policy_violation';
   ```

6. Search for Suspicious SSH Activity:

   • Look for alerts related to suspicious SSH activity, such as login attempts from unusual locations or multiple failed login attempts.

   ```sql
   SELECT * FROM alerts WHERE rule.category = 'authentication_failed' AND rule.description LIKE '%ssh%';
   ```

7. Search for Inbound or Outbound Traffic Spikes:

   • Identify alerts related to sudden spikes in inbound or outbound network traffic (replace `<threshold>` with a byte count appropriate to your environment).

   ```sql
   SELECT * FROM alerts WHERE rule.category = 'network_traffic' AND source.bytes > <threshold>;
   ```

8. Search for Expired Certificates:

   • Look for alerts related to expired SSL/TLS certificates.

   ```sql
   SELECT * FROM alerts WHERE rule.category = 'ssl_certificate_expired';
   ```

9. Search for Data Exfiltration Attempts:

   • Identify alerts related to potential data exfiltration or unauthorized data transfer.

   ```sql
   SELECT * FROM alerts WHERE rule.category = 'data_exfiltration';
   ```

10. Search for System Crashes or Failures:

    • Look for alerts related to system crashes, hardware failures, or abnormal system behavior.

    ```sql
    SELECT * FROM alerts WHERE rule.category = 'system_crash';
    ```

These additional queries offer further options for analyzing different types of security events and anomalies within your environment. You can customize these queries based on your specific use cases and security monitoring requirements to effectively detect and respond to potential security threats.
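Queries 6 and 7 above return individual rows; in practice an analyst wants the "multiple failed login attempts" and "above threshold" conditions expressed in the query itself. The following added example (not from the original post, and not Wazuh's own query API) runs both variants against a constructed in-memory `alerts` table in SQLite, with the page's dotted field names flattened to underscores, grouping SSH failures per source address within a time window and parameterising the traffic threshold instead of hard-coding it.

```python
import sqlite3

# Constructed sample alerts modelled on the flat "alerts" table the queries above assume.
# Columns: timestamp, rule_category, rule_description, source_ip, source_bytes
SAMPLE_ALERTS = [
    ("2024-01-01T10:00:00", "authentication_failed", "sshd: authentication failed", "203.0.113.5", 0),
    ("2024-01-01T10:00:05", "authentication_failed", "sshd: authentication failed", "203.0.113.5", 0),
    ("2024-01-01T10:00:09", "authentication_failed", "sshd: authentication failed", "203.0.113.5", 0),
    ("2024-01-01T10:00:12", "authentication_failed", "sshd: authentication failed", "203.0.113.5", 0),
    ("2024-01-01T10:00:20", "authentication_failed", "sshd: authentication failed", "198.51.100.7", 0),
    ("2024-01-01T10:01:00", "authentication_failed", "web login failed", "198.51.100.7", 0),
    ("2024-01-01T10:02:00", "network_traffic", "outbound flow", "10.0.0.8", 900_000_000),
    ("2024-01-01T10:03:00", "network_traffic", "outbound flow", "10.0.0.9", 12_000),
]

# Query 6 extended: count SSH authentication failures per source inside a window and
# keep only sources that exceed the minimum count (the "multiple failed attempts" case).
REPEATED_SSH_FAILURES_SQL = """
SELECT source_ip, COUNT(*) AS failures
FROM alerts
WHERE rule_category = 'authentication_failed'
  AND rule_description LIKE '%ssh%'
  AND timestamp BETWEEN ? AND ?
GROUP BY source_ip
HAVING COUNT(*) >= ?
ORDER BY failures DESC
"""

# Query 7 with the <threshold> placeholder bound as a parameter rather than inlined.
TRAFFIC_SPIKE_SQL = """
SELECT source_ip, source_bytes FROM alerts
WHERE rule_category = 'network_traffic' AND source_bytes > ?
"""


def load_alerts(rows):
    """Create an in-memory alerts table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alerts (timestamp TEXT, rule_category TEXT, "
                 "rule_description TEXT, source_ip TEXT, source_bytes INTEGER)")
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def repeated_ssh_failures(conn, start, end, min_failures=3):
    """Return (source_ip, failures) for sources with >= min_failures SSH failures in [start, end]."""
    return conn.execute(REPEATED_SSH_FAILURES_SQL, (start, end, min_failures)).fetchall()


def traffic_spikes(conn, threshold_bytes):
    """Return (source_ip, source_bytes) rows whose byte count exceeds the threshold."""
    return conn.execute(TRAFFIC_SPIKE_SQL, (threshold_bytes,)).fetchall()
```

Tune the window, minimum count and byte threshold to your environment's baseline; the one-off SSH failure from 198.51.100.7 is filtered out by the `HAVING` clause, which is what keeps this query from paging on every mistyped password.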
